If you work under the assumption that virtually everything is already compromised (except in a few extremely secure cases), then you will be well served, because in fact most things are compromised; it's just that nobody has found out about the compromise in most cases.
IoT should be specifically limited in a home for this reason. I try to limit my IoT, and when possible isolate it to specific VLANs, and always ensure a strict policy on internet access that only allows the specific domains required for device operation. I'm working from the assumption that everything is compromised.
Right now, I have a thermostat, smoke alarm and space heater in the guest bedroom as my basic IoT devices. But it is required in the case of those devices. For example, without an app the space heater cannot be scheduled to go on and off or remotely notify me if it was left on. My thermostat is required; I use the IoT aspect of that constantly. My cameras can't talk out: internal server, with cloud storage of the clips. My DVRs are restricted to traverse the WAN only during a short 45-minute window each night for programming updates. That pretty much wraps up the IoT around here.
Once again, my assumption is - it's all been compromised.
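The policy sketched in that post (an isolated IoT VLAN with default-deny egress, a per-device domain allowlist, cameras that may only reach an internal recorder, and a DVR that gets WAN access only in a short nightly window) can be written down and checked before it goes on a firewall. The following is an added example and not code from the original post; the subnet, device addresses, domain names, resolver answers and the 02:00-02:45 window are all constructed. It evaluates a single flow the way the firewall would and renders the same policy as an nftables forward chain.

```python
"""Default-deny egress policy for an isolated IoT VLAN: each device gets
only the WAN names (or internal hosts) it needs, optionally limited to a
daily time window, and everything else is dropped.

Added example, not from the original post. All addresses, names, resolver
answers and the DVR window below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

IOT_VLAN = ip_network("10.30.0.0/24")        # assumed IoT VLAN
LOCAL_DNS = ip_address("10.30.0.1")          # resolver on the IoT gateway
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed snapshot of what the allowlisted names resolve to. A real
# deployment refreshes this from DNS (e.g. a dnsmasq/unbound ipset hook),
# because vendor endpoints move between CDN addresses.
RESOLVED = {
    "api.thermostat.example": {"203.0.113.10"},
    "cloud.heater.example":   {"198.51.100.7", "198.51.100.8"},
    "guide.dvr.example":      {"192.0.2.44"},
}


@dataclass
class Device:
    name: str
    ip: str
    domains: set = field(default_factory=set)    # WAN names it may reach
    internal: set = field(default_factory=set)   # LAN hosts it may reach
    ports: set = field(default_factory=lambda: {443})
    window: Optional[tuple] = None               # (start, end) local time


def in_window(window, now: datetime) -> bool:
    """True if `now` is inside the daily window; handles a midnight wrap."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def allowed(dev: Device, dst: str, port: int, now: datetime,
            resolved=RESOLVED) -> bool:
    """Decide one flow from `dev` the way the firewall would."""
    d = ip_address(dst)
    if d == LOCAL_DNS and port == 53:            # DNS only via our resolver
        return True
    if any(d in n for n in RFC1918):             # LAN: explicit hosts only
        return str(d) in dev.internal
    if port not in dev.ports or not in_window(dev.window, now):
        return False
    wan_ok = set().union(*(resolved.get(n, set()) for n in dev.domains))
    return str(d) in wan_ok                      # anything else: drop


def render_nft(devices, resolved=RESOLVED) -> str:
    """Render the policy as an nftables forward chain (assumes nft >= 0.9.x
    for `meta hour`). The address sets would normally be kept up to date by
    the DNS hook mentioned above rather than baked in like this."""
    out = ["table inet iot {",
           "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept",
           f"    ip saddr {IOT_VLAN} ip daddr {LOCAL_DNS} udp dport 53 accept"]
    for dev in devices:
        for host in sorted(dev.internal):
            out.append(f"    ip saddr {dev.ip} ip daddr {host} accept")
        ips = sorted(set().union(*(resolved.get(n, set()) for n in dev.domains)))
        if ips:
            ports = ", ".join(str(p) for p in sorted(dev.ports))
            win = ""
            if dev.window:
                s, e = dev.window
                win = f' meta hour "{s:%H:%M}"-"{e:%H:%M}"'
            out.append(f"    ip saddr {dev.ip} ip daddr {{ {', '.join(ips)} }}"
                       f" tcp dport {{ {ports} }}{win} accept")
    out += ["  }", "}"]
    return "\n".join(out)


# Constructed device inventory mirroring the post: thermostat, heater,
# a camera that may only reach the internal recorder, and a DVR with a
# 45-minute nightly window.
DEVICES = [
    Device("thermostat", "10.30.0.20", domains={"api.thermostat.example"}),
    Device("space-heater", "10.30.0.21", domains={"cloud.heater.example"}),
    Device("camera-front", "10.30.0.30", internal={"10.10.0.5"}),
    Device("dvr", "10.30.0.40", domains={"guide.dvr.example"},
           window=(time(2, 0), time(2, 45))),
]

if __name__ == "__main__":
    print(render_nft(DEVICES))
```

Two points worth keeping in mind with this shape of policy: a domain allowlist on a packet filter is only as good as the resolver feeding it, so the address set has to be refreshed from the same DNS the devices are forced to use, and the time window is evaluated in the firewall host's local time, so a window that crosses midnight needs the wrap handling shown in `in_window`.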